Cloud Security: A New Perspective

© 2012 Cisco and/or its affiliates. All rights reserved. 1© 2010 Cisco and/or its affiliates. All rights reserved. 1
Wen-Pai Lu, Ph.D.
Cloud Security: A New Perspective
Technical Leader
CloudCon, 2014
Dalian, China

The Meaning of Cloud Quick recap
PublicPrivate HybridCommunity
Where?&&Deployment*Models*
Virtual
Private
What? Essential Characteristics (NIST)
Measured
Services
Rapid
Elasticity
Resource
Pooling
Self
Service Broad
Access
How?&Service*Models*
SaaS
PaaS
IaaS

Security is still the biggest obstacles to Cloud Adoption
#1 Security
policies
#2 Secure
Connectivity
#3 Changed
architecture
Integration
#4 QoS, SLAs,
WaaS, AVC, VPN
Forrester & Cisco report on Cloud market – 2013

It is all About
Data – Protecting
your Data is the
No. 1 Priority

Cloud Security is About …

Cloud Security: Defined
“In the Cloud”
Secure Cloud InfrastructurePrivate
Cloud
Virtualized
App Servers
In#the#Cloud:#Security)(products,)solu1ons))instan1ated)as)
an)opera1onal)capability)deployed)within)Cloud)
Compu1ng)environments.)Examples:))Routers,)Firewalls,)
IPS,)AV,)WAF,)…)

“For the Cloud”
Secure Cloud Access
Public
Cloud
Secure Cloud Infrastructure
For$the$Cloud:$Security)services)that)are)speciﬁcally)
targeted)toward)securing)OTHER)Cloud)Compu=ng)
services,)delivered)by)Cloud)Compu=ng)providers.)

“By the Cloud”
Cloud Security Services
Internet
Email
Web
Secure Mobility
By#the#Cloud:#Security)services)delivered)by)
Cloud)Compu3ng)services)which)are)used)by)
providers)
Securing Cloud Access

Infrastructure Security
Load
Balancer
SSL
Termination
Web App
Firewall
Firewall IDS/IPS
Public Cloud
(Hosted)
Enterprise Cloud
(Hosted)
SP
Broadband
Access
Access
Access
Virtualized Security in
Private Cloud:
•  vASA, ASAv
•  Nexus 1000v
•  VSG
•  TrustSec
Physical Security:
•  ASA
•  SourceFire
•  Trustsec
Secure bridging (#2)
•  Nexus 1000v InterCloud
VPC Isolation
Enabling virtualized Security in
Public Cloud (#1,#3):
•  VSG, ASA 1000v
•  Nexus 1000v
•  vASA
Enabling secure L3 access to
Cloud, WAN services (#2, #4)
•  CSR 1000v

•  More moving parts, ore
Complex,
•  Code Execution from VM Guest
to Host
•  Service Console Flaws
•  New Configuration Controls
•  Segmentation and Separation
•  Hypervisor Security
•  OS Security
•  Side Channel Attacks
•  Monitoring & Visibility
•  Virtual Security Products

Applications & Software

•  ISO 27001 Adherence
•  Power Supply
•  Cooling
•  Fire and Flood Damage
•  Facilities Access Right
•  Policy
•  Facility and Personnel
Monitoring
•  Physical Risk Assessments
•  Remediation Plan
•  Network Cable accessible in
public access area

•  Background Check
•  HR Hiring Policy
•  Security Awareness and Training
•  Ongoing data and system access
rights

•  Control Standards such as
SSAE 16 SOC 1 or SOC 2
•  PIC, HIPAA, FISMA, SOX, or
local standards
•  Baseline of Compliance Needs
•  “Boundaries” where Compliance
applies
•  Required Controls for
Compliance Mandates, like
GRC, CCM, etc.
•  Responsible Parties
•  Legal Impacts and
Ramifications

•  What is your BCP and DR
plan?
•  Who is responsible?
•  Which part of your DATA
should be included in the
planning
•  Backup Strategy
•  RTO & RPO Objectives
•  DR Process

1.  Data Breaches
2.  Data Loss
3.  Account or Service Traffic Hijacking
4.  Insecure Interfaces and APIs
5.  Denial of Services
6.  Malicious Insiders
7.  Abuse Cloud Services
8.  Insufficient Due Diligence
9.  Share Technology Vulnerabilities https://downloads.cloudsecurityalliance.org/initiatives/top_threats/
The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Where is Your DATA?

Cloud Security is all About….
•  Confidentiality
•  Integrity
•  Available
•  Compliance
•  Governance
•  Risk Management

•  Shift of Telco Business
moves toward Application
Centric
•  Business is Measured by $
per Services
•  Network Services move
from Appliance Centric to
Software-based
•  Cloud becomes Key
Enable in their New
Business Model
Voice Centric
Frame
Relay
ISDN
ATM
QAM
T1,
DS3
PSTN
SMDS
X.25
$ per Call
Data Centric
VOIP
L2/L3 VPNs
VOD
Streaming
Video
Triple
Play
Cellular
Data
IPTV
SP Wi-Fi
$ per mbs
Hosted
Collaboration
Elastic Load
Balancing
Disaster
Recovery
Security
AAS
Bandwidth
On-Demand
Cloud
Storage
Application
Centric
$ per Service
Wave of Business

Orchestra)on/Management & API per vService
Security As A Service & Threat Defense
Elastic Security Services Architecture
Internet
L2 VPN
L3 VPN
Ubiquitous Ethernet
Access Node
Satellite, EoMPLS,
MPLS-TP, etc Private Cloud
Residential
Customer
Remote POP
A9K Cluster
Managed
Router
vWAAS
Security
DPI
vASA
vWSA
SBC
3rd
Party
Hypervisor*
UCS**and/or*On*Box*Compute*Resources*
OS* OS* OS* OS* OS*
IronPort
Service insertion/chaining
UCS*or*VSM/Forge*
vASA
vWSA
SBC
Scansafe
SBC
Controller

New Cloud Service Offering by “CSP”
Software Define Network (SDN) Network Function Virtualization (NFV)
Business'Applica-ons'Business'Applica-ons'Business'Applica-ons'
Business'Applica-ons'
Business'Applica-ons'
Network'Services'
Network'
Services'
Control''
Layer'
Applica-on'Layer'
NFV'Orchestra-on'and'Management'
Compute' Network' Storage'
Hardware'Resources'
Virtualiza-on'Layer'
Virtual'
Compute'
Virtual'
Network'
Virtual'
Storage'
NFV'Infrastructure'(NFVI)'
VNF'
VNF'VNF'
VNF' VNF'
VNF'
VNF'
API' API'
API'
Infrastructure'
Layer'
OSS/BSS'

•  Application API vulnerability
•  Service Hijacking
•  Virtualization Attacks
•  Distribution Denial of Attacks
•  Hardware and Software Hardening
•  Malicious Insiders
•  Insufficient Due Diligence
•  Share Technology Vulnerabilities
•  Segmentation and Isolation
•  Identity of Devices, Users, Roles
and Location
•  Traffic Sniffing
•  Unified Cloud Access Security
•  Threat Visibility
•  Dynamic Security Enforcement
•  Security Ecosystem
•  And much more …

From Enterprises (End Users)
•  Information Security – Security of Data and
Services
•  Data Life Cycle – Generation, Use, Transfer,
Transformation, Storage, Archive and Destruction
•  IT Service Continuity – Business Continuity and
Disaster Recovery
•  Incident Management – how soon CSP can restore
services, and Intrusion Detection
•  Change Management – Standardize methods and
procedures for efficient of all changes
•  Data Loss and Breaches
•  Infrastructure Security – Network, Compute,
Storage, Access Control, etc.
•  Compliances and Standards
From Service Providers
•  Service Asset – for maintain information about
Configuration Items (CI) required to deliver
Cloud Services
•  Configuration Management
•  Demand Management – prepare for such
demands
•  Capacity Management – Availability of
sufficient capacity
•  Request Fulfillment – process for fulfilling
service request
•  Branding and Publicity
•  Service Availability – lose of Revenue and
Trust
•  Management and Operations

•  Cloud Security is not only about Data Protection
•  Data Protection includes both Data At Rest and Data In Transit
•  Need to Implement Data Life Cycle with CSP
•  Infrastructure Security provides required Protection for your Data in the Cloud
•  Need to do your due Diligent – Cloud Risk Analysis and Security Assessment
•  Other “Hard” Security Considerations include Identity and Access Management, Physical
Facilities Security, DR and BDP, and Intrusion Detection and Incident Responses
•  “Soft” Security Considerations include Compliances and Legal Considerations, Audit for
the Cloud, Policy, Contracts with CSP, and Governance
•  DO YOUR HOME WORK to know what YOU are Getting

Thank you.Thank you.

Backup

Cloud Security: A New Perspective

Cloud Security: A New Perspective

Recommended

More Related Content

What's hot (20)

Viewers also liked (17)

Similar to Cloud Security: A New Perspective (20)

Recently uploaded (20)

Cloud Security: A New Perspective